Update React on Rails to 16.1.1 and move SSR to private directory (#656)

justin808 · web-flow · commit 5385b64bc3a6 · 2025-09-28T14:11:06.000-10:00
Relocate server-side rendering bundles from public assets to a private
directory following React on Rails 16 security best practices.

Changes:
- Configure webpack to output server bundles to ssr-generated directory
- Update React on Rails config to use server_bundle_output_path setting
- Add ssr-generated and client/app/generated to .gitignore
- Move path require to top of file for proper code organization

Configuration:
- Uses React on Rails default path: ssr-generated
- Server bundle remains named server-bundle.js
- Client assets continue to output to public/packs

Security Impact:
- Server bundles are now isolated from publicly accessible assets
- Prevents potential exposure of server-only code and dependencies
- Follows React on Rails 16+ recommended security patterns

Compatibility:
- No breaking changes for existing deployments
- Server rendering continues to work transparently
- Client-side functionality unchanged

This change only affects the build output location for SSR bundles.
The application behavior remains identical, with improved security
by keeping server-only code separate from public web assets.
diff --git a/.gitignore b/.gitignore
@@ -52,3 +52,10 @@ lib/bs
 /lib/ocaml
 
 client/app/bundles/comments/rescript/**/*.bs.js
+
+# Server-side rendering bundles (private)
+# Using React on Rails default directory
+/ssr-generated/
+
+# Generated files
+/client/app/generated/
diff --git a/config/initializers/react_on_rails.rb b/config/initializers/react_on_rails.rb
@@ -14,6 +14,11 @@
   # not affect performance.
   config.server_bundle_js_file = "server-bundle.js"
 
+  # Server bundle output path for private SSR bundles (React on Rails 16+)
+  # This keeps server bundles separate from public assets for security
+  # Using the default from React on Rails docs
+  config.server_bundle_output_path = "ssr-generated"
+
   # React on Rails 16 compatibility: Workaround for removed error handling
   #
   # BREAKING CHANGE in v16: React on Rails 14.2.1 had robust error handling that would
diff --git a/config/webpack/serverWebpackConfig.js b/config/webpack/serverWebpackConfig.js
@@ -1,6 +1,7 @@
 // The source code including full typescript support is available at:
 // https://github.com/shakacode/react_on_rails_tutorial_with_ssr_and_hmr_fast_refresh/blob/master/config/webpack/serverWebpackConfig.js
 
+const path = require('path');
 const { config } = require('shakapacker');
 const commonWebpackConfig = require('./commonWebpackConfig');
 
@@ -45,12 +46,14 @@ const configureServer = () => {
 
   // Custom output for the server-bundle that matches the config in
   // config/initializers/react_on_rails.rb
+  // Output to a private directory for SSR bundles (not in public/)
+  // Using the default React on Rails path: ssr-generated
   serverWebpackConfig.output = {
     filename: 'server-bundle.js',
     globalObject: 'this',
     // If using the React on Rails Pro node server renderer, uncomment the next line
     // libraryTarget: 'commonjs2',
-    path: config.outputPath,
+    path: path.resolve(__dirname, '../../ssr-generated'),
     publicPath: config.publicPath,
     // https://webpack.js.org/configuration/output/#outputglobalobject
   };
